Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
When calling updateUser({email: newEmail}) for a phone login user (who has no existing email) with secure email change enabled, the auth hook receives both token and new_token as empty strings. This prevents proper email verification, as the OTP required to confirm the new email is not provided in the hook.
To Reproduce
Steps to reproduce the behavior:
- Create a user authenticated via phone login (no email associated with the account).
- Enable secure email change in the Supabase Auth configuration.
- Call updateUser({email: newEmail}) to add an email to the phone login user.
- Observe the auth hook input for the email change event.
- Note that both token and new_token are empty strings.
Expected behavior
For a phone login user without an existing email adding a new email:
- token should contain the OTP generated for verifying the new email.
- new_token should be an empty string, as there is no existing email to verify.
Screenshots
N/A
System information
- OS: [e.g., macOS, Windows]
- Browser (if applicable): [e.g., Chrome, Safari]
- Version of supabase-js: 2.53.0
- Version of Node.js: 22
Additional context
I've read about #2044; the changes should've fixed the empty token issue, but it seems like phone users are not covered. Please correct me if I am wrong. Thanks for the help :)
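A hook-side guard for the condition reported above, as an added example that is not part of the original issue or of Supabase's code: it refuses to send a verification mail when the email-change payload carries no OTP. The field names token and new_token follow the issue text; the flat payload shape, email_action_type, current_email, new_email and the sendMail callback are assumptions, as is the rule that new_token is required when an existing email is present.

```javascript
// Added example (not Supabase code). Payload shape and the names
// email_action_type, current_email, new_email are assumptions; token and
// new_token follow the issue text. Sample payloads below are constructed.
const isNonEmpty = (v) => typeof v === "string" && v.trim() !== "";

function validateEmailChange(payload) {
  if (!payload || payload.email_action_type !== "email_change") {
    return { ok: false, problems: ["not an email_change event"] };
  }
  const problems = [];
  // The OTP for the new address must always be present.
  if (!isNonEmpty(payload.token)) {
    problems.push("token is empty: no OTP to verify the new email");
  }
  if (isNonEmpty(payload.current_email)) {
    // Assumed: with an existing email, a second OTP is expected.
    if (!isNonEmpty(payload.new_token)) {
      problems.push("new_token is empty although an existing email is set");
    }
  } else if (payload.new_token !== "") {
    // Phone-only user: the issue expects new_token to be an empty string.
    problems.push("new_token should be empty when there is no existing email");
  }
  return { ok: problems.length === 0, problems };
}

// Fail closed: never call sendMail with a blank OTP.
function handleEmailChangeHook(payload, sendMail) {
  const result = validateEmailChange(payload);
  if (!result.ok) {
    return { status: 422, error: result.problems.join("; ") };
  }
  sendMail(payload.new_email, payload.token);
  return { status: 200 };
}

// Constructed payloads: the reported behaviour and the expected behaviour.
const phoneUserReported = {
  email_action_type: "email_change", current_email: "",
  new_email: "user@example.com", token: "", new_token: "",
};
const phoneUserExpected = { ...phoneUserReported, token: "123456" };

console.log(validateEmailChange(phoneUserReported));
console.log(validateEmailChange(phoneUserExpected));
```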